Carbonsec – Cybersecurity Consultancy Services Company

Interview: Strong user awareness and secure passwords – how to get there?

Strong user awareness and secure passwords are two essential elements of cyber security. We discussed these topics and some other cybersecurity aspects in an interview with Borut Žnidar, CISO at Halcom d.d.

27. February, 2023 by Ana Bokalič

Secure passwords were one of the main topics in blog posts on cyber security trends at the end of last year. While there used to be a consensus in the past that strong passwords should contain upper and lower case letters, numbers and special characters and should be changed regularly, the new guidelines emphasise the importance of passwords as passphrases and authentication mechanisms such as FIDO2.

In the interview with Borut Žnidar, MSc, CISO at Halcom d.d., we discussed the changes in cybersecurity in recent years and how Halcom, a high-quality software solutions developer for the financial sector, addresses cyber security on the front line of defence – how they build user awareness and check password security.

Borut Žnidar, MSc

CISO, Halcom d.d.

Borut Žnidar is an experienced information security professional and a proven information systems auditor. He holds the ISACA Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) credentials and the (ISC)² CISSP. Since 2018, he has been the CISO at Halcom d.d., where he is also responsible for ensuring cyber security.

    Halcom is a software development company that has been developing innovative and secure payment and financial solutions for three decades. Cybersecurity has been one of your top priorities for many years. You took the CISO position at Halcom four years ago; how has the world of cybersecurity changed since that time?

    Three key things related directly to my work have changed. The complexity of attacks has increased, not necessarily technologically but rather socio-technologically, as the human factor has become a critical element of successful attacks. We believe that attacks are not focused only on technology; they are an interplay of several more straightforward approaches. This brings us to the second significant change: attacks on people have become more complex. They are more creative, and the method increasingly takes human nature into account. And the third significant change: our country is no longer on the periphery. We could have considered Slovene as a part of cyber-protection, but now we can no longer rely on it. I recently used ChatGPT to instantly produce an excellent text in Slovene to simulate a phishing attack. People were used to recognising attacks by incorrect Slovene. But not anymore; we must constantly remind ourselves that correct Slovene is not a guarantee for the legitimacy of a message.

    Therefore, it is important to remind our employees what our security policy is and how we should act. The primary objective here is not to prevent attacks but to raise awareness. We want them to realise that technology is not the ultimate protection and that they must actively participate in the prevention process. To efficiently block cyber-attack attempts, we have to use a combination of technical solutions and employee awareness skills.

    A holistic approach to cybersecurity management includes using security devices and systems effectively, regular testing and verification, and ongoing user education. What has been your main focus in the post-covid time?

    Regarding technology, we dedicate more time to ensuring secure remote work. We are trying to protect remote work better and educate users on the subject. When working at home, employees simultaneously connect to corporate services on the corporate network, to corporate cloud services and – whether we want it or not – to private cloud services. Of course, these are not necessarily harmful, but they are private. The security of these three channels must be harmonised, and users should be able to work efficiently.

    The aim of security is not to stop users from doing their job but to enable them to do their job safely. I was pleasantly surprised when individuals came to me because they had sensed that something was not set up the way they thought it should be, and they had second thoughts about the security. I believe this is a very positive response because you realise that users consider security important, and you can use these inputs to improve the security of the work environment for everyone. We are also considering introducing additional technical solutions to enhance the control over remote access.

    The second part, which is also very important, is to educate and test users with simulated phishing attacks. We use the KnowBe4 platform and are very happy with the results. We run monthly campaigns, and the feedback from users, as well as from the management, has been very positive. We have successfully presented our experience with the programme and the results to the entire Halcom group.

    What do you think is the weakest point of the IT system? Which attack vector is, in your opinion, the most difficult to detect and block?

    At the moment, I think the human factor is the most critical. In Halcom, we are working hard to mitigate this risk, and I believe we are going in the right direction.

    In recent months we have had relatively few “clickers” in our phishing attack simulations. We can count them on the fingers of one hand, and we are below the industry average. Furthermore, we see that more than half of our employees have correctly identified and flagged the test phishing message, which I consider a very high percentage. If employees flag phishing emails (test and real), I get a better insight into potential attacks and take action.

    So, you pay a lot of attention to training your employees in identifying social engineering attacks. Why did you decide to systematically build your employees' skills in this field?

    A few years ago, phishing was generally considered to be a big problem. We first had the idea of writing attack simulations ourselves, but ultimately, we decided to try it with a platform. The price was acceptable, and we decided to take a one-year licence and test it.

    Given the results we achieved in the first year, there was no doubt that we would continue with the tests. The response has been good so far, even though there are some clickers with every campaign we send. When the number of clickers increases, we carry out additional activities to raise even more awareness. Once a user has failed a test, they are definitely more cautious in the following months. The platform could probably be used even better, as new educational content is always being added, and new functionalities for integration with other business tools are available. We currently run tests in English, but we also have plans to do them in Slovene. In the last year, we have introduced messages with more complex content as users sharpen their skills, and we adapt the simulations to their abilities.

    I would particularly like to highlight the high automation level of the solution, which works smoothly after the initial set-up without daily monitoring.

    If we look at the technical side of user awareness, we come to password security. Your company has recently tested the security of your employees’ passwords. Why did you decide to do this test?

    About three years ago, we changed our password policy. Previously, we had a policy which enforced complex passwords with lower- and upper-case letters, numbers and special characters. We used to change passwords every three months. We decided to change our password policy a few years ago when the US NIST* announced that such passwords were, on the one hand, not user-friendly and, on the other hand, no more difficult to crack. They recommended longer passwords, preferably in the form of passphrases and without unfriendly complex characters. When we introduced the new policy, I expected some reluctance or opposition from users, as well as from auditors. However, almost none of them complained. We explained to the auditors that the new policy follows the renowned NIST recommendations, which is a reputable institution, and there were no problems.

    The fact is that when you introduce a change like this, you do not know how it will work and what the consequences will be. Users changed their passwords; according to our new policy, we change them annually. But we did not know whether we actually had secure passwords. What would happen if someone managed to break into the network?

    Therefore, we decided to test the effectiveness of the policy by testing passwords. Besides, during the previous penetration test, some password hashes were caught, and some were also cracked, which was an additional motivation for the test. Therefore, we tested all the passwords stored in our active directory (AD).
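As an added example (not Halcom's or Carbonsec's code), the two policies Mr Žnidar describes written as checks: the old composition-rule policy and a length-based policy following NIST SP 800-63B guidance (minimum length, compromised-password screening, no composition rules). The blocklist and candidate passwords are constructed for this example, and the 15-character minimum is an assumption, not a value from the interview.

```python
import re
import unicodedata

# Constructed stand-in for a breach-derived blocklist (a real deployment would
# screen against a corpus such as Have I Been Pwned); all values are examples.
COMPROMISED = {"password1!", "summer2023!", "welcome123", "correcthorsebatterystaple"}

# The four character classes the old composition-rule policy demanded.
CLASSES = (("lower-case", r"[a-z]"), ("upper-case", r"[A-Z]"),
           ("digit", r"\d"), ("special", r"[^A-Za-z0-9]"))


def old_policy(pw: str) -> list[str]:
    """Composition-rule policy: at least 8 characters drawn from all four classes.
    Returns a list of violations; an empty list means the password is accepted."""
    problems = [] if len(pw) >= 8 else ["shorter than 8 characters"]
    problems += [f"missing {name} character"
                 for name, pattern in CLASSES if not re.search(pattern, pw)]
    return problems


def nist_policy(pw: str, min_len: int = 15, blocklist=COMPROMISED) -> list[str]:
    """Length-based policy in the spirit of NIST SP 800-63B: a minimum length
    (15 here is an assumed value), Unicode normalisation, a compromised-password
    screen and a check for trivially repetitive content; no composition rules."""
    pw = unicodedata.normalize("NFKC", pw)
    # Compare case- and whitespace-insensitively so "Correct Horse ..." still
    # hits the blocklist entry for the well-known phrase.
    key = re.sub(r"\s+", "", pw.lower())
    problems = [] if len(pw) >= min_len else [f"shorter than {min_len} characters"]
    if key in blocklist:
        problems.append("appears in compromised-password list")
    if re.search(r"(.)\1{3,}", pw):        # e.g. "aaaa"
        problems.append("contains a run of 4+ identical characters")
    if re.search(r"(..+?)\1{2,}", pw):     # e.g. "Aa1!Aa1!Aa1!"
        problems.append("is a short pattern repeated 3+ times")
    return problems


if __name__ == "__main__":
    for candidate in ("Summer2023!", "Aa1!Aa1!Aa1!Aa1!Aa1!Aa1!",
                      "Correct Horse Battery Staple",
                      "the mountain wind smelled of pine resin"):
        print(f"{candidate!r}: old={old_policy(candidate) or 'ok'}, "
              f"nist={nist_policy(candidate) or 'ok'}")
```

The 24-character `Aa1!Aa1!...` candidate passes every composition rule yet fails the length-based policy, which is the kind of result a password test surfaces and a composition rule cannot.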

    You probably had an idea of what the test result would be like before you started the project. To what extent do the actual test results match your expectations? In which direction do the results deviate?

    We had no specific expectations. Given that this was the first time we had run the test, I assumed that quite a few passwords would be cracked. But only a few of them were active user passwords, which is the result I was pleased with.

    However, we accidentally included old, inactive passwords in the hash database. These passwords were created according to the old password policy. It turned out that there were a lot of cracked passwords among them, so the test confirmed that the change in password policy was a step in the right direction.

    Based on the results, have you already implemented any measures to improve password security?

    First of all, users whose passwords were compromised changed their passwords accordingly.

    We had some concerns about what to do with the compromised passwords. Finally, we decided the test provider would not share the disclosed passwords with us. Users whose passwords were cracked were given the opportunity to contact the test provider to find out why the password could have been cracked.

    The feedback from users after the test was very positive, and the examples of cracked passwords also caught some interest. For example, how is it possible that a 24-character password was cracked? Some users shared their experiences with me, and we were able to use the anonymised data in our next internal training on information security and learned a lot from this test. We also got tips from the pentester on how to create reasonably secure passwords that are difficult to crack.

    The next step is to repeat the test to check that we have successfully corrected the detected errors.

    Finally, a more organisational question. There is a growing emphasis on the importance of managing cyber security “from the top” – at the board and management level. What is your opinion? Is the role of the CISO more a business or a technical one, and what skills are, in your opinion, essential to successfully manage cybersecurity in a large enterprise?

    I would say that a CISO is a person who is involved in the company at all levels. You need to have at least some technical knowledge to be able to discuss issues with system administrators and programmers. On the other hand, you need the support of the management to be able to talk to the technicians in the first place.

    It also depends on the size of the company. I can be involved in the whole vertical of our company, but in larger companies, the CISO function is often more isolated. From one point of view, this might not be the best option because it makes it harder to supervise the whole company and connect with other employees. In our company, the relationship is built on trust, and tight bonds exist throughout the organisation. This way, monitoring deviations from what we want and taking action is easier.

    Top five takeaways from the interview with Mr Borut Žnidar, CISO at Halcom d.d.:

    In recent years, cyber-attacks have become much more sociotechnically sophisticated. They include elements that successfully manipulate human nature to achieve their goals.

    The weakest link in cyber-security is the human being. Therefore, we have to enable users to work safely with advanced technical solutions on the one hand and continuously educate and train them to identify attacks through social engineering on the other.

    Employees must be aware that technology alone will not save them from cyber attackers; they must also actively take care of their own cyber security by acting responsibly.

    A strict password policy does not guarantee that secure passwords are used in your network, so it is a good idea to check them with a password security test.

    A password security test provides insight into the effectiveness of your security policy, and the result is recommendations for improvement.

    *NIST: https://www.nist.gov/

    Copyright © 2023 Carbonsec · Created by mod.si